
qcacld-3.0: Fix buffer overflow in htt_t2h_msg_handler

Currently the variable "num_mpdu_ranges" is taken from the message and used
directly without any validation, which causes a buffer over-write.

To address this issue add check for the valid num_mpdu_ranges

Change-Id: I3f340b913f3063b24c14644ea723a99690e89dcf
CRs-Fixed: 2146934
Alok Kumar 7 years ago
parent
commit
b46ae4adcc
1 changed files with 11 additions and 0 deletions
  1. 11 0
      core/dp/htt/htt_t2h.c

+ 11 - 0
core/dp/htt/htt_t2h.c

@@ -648,6 +648,7 @@ void htt_t2h_msg_handler(void *context, HTC_PACKET *pkt)
 		unsigned int num_msdu_bytes;
 		uint16_t peer_id;
 		uint8_t tid;
+		int msg_len = qdf_nbuf_len(htt_t2h_msg);
 
 		if (qdf_unlikely(pdev->cfg.is_full_reorder_offload)) {
 			qdf_print("HTT_T2H_MSG_TYPE_RX_IND not supported ");
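Review bot: `msg_len` is declared `int` on the added line, yet the next hunk compares it with a `size_t` expression (`(2 + HTT_RX_PPDU_DESC_SIZE32 + 1) * sizeof(uint32_t)`), so that comparison is performed in unsigned arithmetic; this is harmless only because a buffer length is never negative, and an unsigned declaration would make that explicit and keep `-Wsign-compare` quiet: `uint32_t msg_len = qdf_nbuf_len(htt_t2h_msg);`. The return type of qdf_nbuf_len() is not visible here; if it is a size type, the narrowing to `int` should also be noted or avoided. The enclosing htt_t2h_msg_handler body starts before this hunk.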
@@ -662,6 +663,10 @@ void htt_t2h_msg_handler(void *context, HTC_PACKET *pkt)
 				tid);
 			break;
 		}
+		if (msg_len < (2 + HTT_RX_PPDU_DESC_SIZE32 + 1) * sizeof(uint32_t)) {
+			qdf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid msg_len\n");
+			break;
+		}
 		num_msdu_bytes =
 			HTT_RX_IND_FW_RX_DESC_BYTES_GET(
 				*(msg_word + 2 + HTT_RX_PPDU_DESC_SIZE32));
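Review bot: The bound `2 + HTT_RX_PPDU_DESC_SIZE32 + 1` is not self-explanatory; it is the number of words that must be present so that the read of `*(msg_word + 2 + HTT_RX_PPDU_DESC_SIZE32)` three lines below stays inside the buffer, and a one-line comment on the check would preserve that reasoning: `/* words 0..(2 + HTT_RX_PPDU_DESC_SIZE32) must exist before FW_RX_DESC_BYTES is read */`. The new qdf_print() messages also end in `\n` while the existing one in the first hunk does not; the file's convention should be followed consistently. htt_t2h_msg_handler continues outside this hunk.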
@@ -677,6 +682,12 @@ void htt_t2h_msg_handler(void *context, HTC_PACKET *pkt)
 		num_mpdu_ranges =
 			HTT_RX_IND_NUM_MPDU_RANGES_GET(*(msg_word + 1));
 		pdev->rx_ind_msdu_byte_idx = 0;
+		if (qdf_unlikely(pdev->rx_mpdu_range_offset_words + (num_mpdu_ranges * 4) > msg_len)) {
+			qdf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid mpdu_ranges %d\n",
+				num_mpdu_ranges);
+			WARN_ON(1);
+			break;
+		}
 
 		ol_rx_indication_handler(pdev->txrx_pdev,
 					 htt_t2h_msg, peer_id,
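Review bot: The added guard appears to mix units: `pdev->rx_mpdu_range_offset_words` is, by its name, a count of 32-bit words, while `num_mpdu_ranges * 4` and `msg_len` are in bytes, so the offset is undercounted and a message whose MPDU-range array runs past the end of the buffer can still pass the check whenever the offset is non-zero. If the field really is in words, and each range occupies one word as the existing `* 4` presumes, the check should be `if (qdf_unlikely((pdev->rx_mpdu_range_offset_words + num_mpdu_ranges) * sizeof(uint32_t) > msg_len)) {`, with `sizeof(uint32_t)` replacing the bare `4`; please confirm both assumptions against the HTT_RX_IND layout. A short comment stating which quantities are words and which are bytes would keep the next reader from making the same slip. htt_t2h_msg_handler continues beyond this hunk.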